
UK watchdog fines Tesco $21.4M for bank cyber failings


(Reuters) — Britain’s markets watchdog has fined Tesco PLC £16.4 million ($21.4 million) for failing to protect account holders at its bank from a “foreseeable” cyber attack two years ago.

The Financial Conduct Authority said that in November 2016 cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card and in its financial crime controls.

“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26 million,” the FCA said in a statement on Monday.

It was the watchdog’s first fine for cyber failings. Ensuring lenders become more resilient to cyber attacks has also become a priority for the Bank of England.

Separately, Tesco said it fully accepted the FCA’s findings and agreed to a settlement of 16.4 million pounds.

“The FCA recognized... that, once senior management were aware, Tesco Bank responded quickly to stop the fraudulent transactions, updating customers regularly and deploying significant resources to return customers to their previous financial position,” the supermarket group said.

Tesco apologized to its customers and said it has significantly enhanced its security measures.

Kyle Hastings, a cyber risk partner at Parker Fitzgerald, said the fine was a warning to all banks to make cyber security a central priority rather than an issue for their IT units.

“This contrasts with regulators’ expectations and the prospect that, as an expanding part of operational risk, cyber could attract greater prudential scrutiny and potential capital charges,” Mr. Hastings said.

Mark Steward, the FCA’s executive director for enforcement, said the size of the fine reflected the watchdog’s “no tolerance” policy for banks that failed to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” Mr. Steward said. “This was too little, too late. Customers should not have been exposed to the risk at all.”

 

 
